How to Make Your Website Compliant with the GDPR – Step 3: Determine the legal basis for data collection activities

With less than 10 days to go until GDPR compliance, here is the third step in your process to getting your website ready for the legislation on the verge of going into effect.

In our last post, we covered step 2, which is to Conduct a Site-wide Profiling Analysis. In this post, we’ll cover how to better understand the data you’re collecting on your website and whether you have a legal basis to do so.

The first thing you need to understand with regard to website data collection under the GDPR is that personal data—including IP addresses, device identifiers and anything else that can be used to identify an individual—can only be collected if you have a “legal basis” to do so.

What constitutes “personal data”?

It’s any information that can identify an individual, such as name, ID number, location data, online identifier (including email address), and more.

Beyond this, “sensitive” personal data is defined as any that reveals a data subject’s characteristics or preferences, such as ethnicity, political views, sexual orientation, and criminal or health records.

These definitions do not simply include customer data, but also employee data such as CVs, financial information, and more.

That all makes sense, right, but is there a basis in which companies can still use “personal data” under the GDPR? The answer is yes, a company can collect, process, and store personal data as long as specific guidelines are followed:

The reason for collecting, processing, and/or storing personal data must be clearly stated to the data subject, and you need to obtain the specific and unambiguous consent of the clients/users/employees or other individuals whose data you’re handling.

The amount of data you collect needs to be limited to the reason you’re collecting it in the first place; for example, if you need to deliver a requested service or good to someone, all you should collect is a name, address, and maybe a phone number.

Lastly, you’re obligated to protect this data by setting up a privacy compliance framework – the processes, policies and safeguards you’ll use to ensure its integrity and confidentiality.

Under the GDPR, there are six legal, lawful ways in which a marketer can collect personal data.

Definitions:

Consent: The data subject has given consent to the processing of personal data for one or more specific purposes.

Contract Performance: Processing is necessary for the performance of a contract to which the data subject is party. For instance, if a data subject provides an employer with banking information for purposes of automated deposit of paychecks, that’s a contract that’s legal under the GDPR.

Legal Obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject, such as regulation; a company controller needs to collect and pass along employee data for purposes of tax reporting, for example.

Vital Interest: Processing is necessary in order to protect the vital interests of the data subject or of another natural person. An example? A person is admitted to a hospital with life-threatening injuries from an auto accident; disclosure to the hospital of that person’s medical history is necessary in order to protect his/her vital interests.

Public Interest: Processing is necessary for the performance of a task carried out in the public interest, such as the tasks of public authorities and government agencies, such as the investigation of a crime; it also allows collection of data for medical, scientific or historical research purposes.

Legitimate Interest: Processing is necessary for the pursuit of legitimate interests of the controller or third party, but a purely economic interest is no longer by itself an adequate justification.

Absent any a valid legal basis to collect someone’s personal data, then you need to get their consent. Once you’ve assessed each data collection activity happening on your website, you need to begin to create a process for obtaining permission from anyone that falls into the “Consent” bucket. As mentioned before, consent must be specific to the actual data being collected, affirmative and unambiguous. In the world of digital advertising, where data is collected and exchanged in nanoseconds, companies need to take a very close look at what’s happening behind the scenes of their website by working with their marketing ops team to understand the full scope.